can't have a proper SSL connexion to the Server
- To: OpenLDAP-software@OpenLDAP.org
- Subject: can't have a proper SSL connexion to the Server
- From: Simon Chevrolat <simchevrolat@yahoo.fr>
- Date: Sat, 30 Jul 2005 10:14:43 +0200 (CEST)
Hi!
I've got a problem in the configuration of OpenLDAP to manage SSL connections. When I try to test this connection with the ldapadd command, I get the following output:
---------------------------------------------------------------------------------
ldapadd -x -D "cn=Manager,dc=localhost" -W -f init.ldif -H ldaps://localhost
Enter LDAP Password:
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
-----------------------------------------------------------------------------------
The problem is that it doesn't seem to be a domain name or certificate problem; indeed, when I test the connection with the openssl command using the same certificates as the ones in ldap.conf, it seems to be working:
-----------------------------------------------------------------------------------
openssl s_client -connect localhost:636 -state -CAfile /home/certs/cacert.pem -cert /home/certs/ldap.client.cert.pem -key /home/certs/keys/ldap.client.key.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=localhost
verify return:1
depth=0 /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=localhost
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=localhost
   i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=localhost
issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=localhost
---
Acceptable client certificate CA names
/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=localhost
---
SSL handshake has read 1055 bytes and written 2040 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 7C248C0FEF820E479F5D0BAACD58C06F799DB2AF9A4ABA19C3E66578ED2076F9
    Session-ID-ctx:
    Master-Key: 40F15ACE414D999490797142179E0AC3157BC2A0EAABE1E27740C57E9A19F4FB757FE99D374A20ADE1732F0229C612B8
    Key-Arg   : None
    Start Time: 1122655803
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
------------------------------------------------------------------------------------
I think that it's a problem in the ldap.conf file, but I checked it and did not find any mistake. I have attached my ldap.conf and slapd.conf files to this message.
If anyone can see a solution to this problem I'll be really grateful.
Thanks
------slapd.conf-----------------
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/local/libexec/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
access to *
        by self write
        by users read
        by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

# CA signed certificate and server cert entries:
TLSCipherSuite          HIGH:MEDIUM:+SSLv2
TLSCACertificateFile    /usr/local/var/openldap-data/cacert.pem
TLSCertificateFile      /usr/local/var/openldap-data/servercrt.pem
TLSCertificateKeyFile   /usr/local/var/openldap-data/serverkey.pem
TLSVerifyClient         demand

password-hash   {SSHA}

#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=localhost"
rootdn          "cn=Manager,dc=localhost"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
#rootpw         secret
rootpw          {SSHA}n45IDxYSncEJvsWSeUa++gSZ6EbFOxR5
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /usr/local/var/openldap-data
# Indices to maintain
index   objectClass     eq
----ldap.conf-------
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example, dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
HOST localhost
PORT 636
TLS_CACERT /home/certs/cacert.pem
TLS_REQCERT demand
TLS_CERT /home/certs/ldap.client.cert.pem
TLS_KEY /home/certs/keys/ldap.client.key.pem
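The post contrasts a working openssl s_client handshake with a failing ldapadd against the same server, and attaches both configs. The script below is an added example (not part of the post, not OpenLDAP code) of the comparison a practitioner would make when triaging that kind of mismatch: it reads an s_client -state trace to see whether the server asked for a client certificate and whether the chain verified, then checks the client and server configs against each other. The sample inputs are constructed from the lines quoted in the post. One fact it encodes comes from ldap.conf(5), which documents TLS_CERT and TLS_KEY as user-only options (read from the per-user .ldaprc rather than the system-wide ldap.conf); the `client_conf_is_system_wide` flag and the finding codes are this example's own names.

```python
"""Triage helper: compare an openssl s_client trace with ldap.conf and slapd.conf."""
import re

# Constructed sample: an abridged copy of the s_client -state trace from the post
# (only the lines the checker inspects are kept).
S_CLIENT_TRACE = """\
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 read finished A
Verify return code: 0 (ok)
"""

# Constructed sample: the TLS-relevant lines of the client's system-wide ldap.conf.
LDAP_CONF = """\
HOST localhost
PORT 636
TLS_CACERT /home/certs/cacert.pem
TLS_REQCERT demand
TLS_CERT /home/certs/ldap.client.cert.pem
TLS_KEY /home/certs/keys/ldap.client.key.pem
"""

# Constructed sample: the TLS-relevant lines of slapd.conf.
SLAPD_CONF = """\
TLSCACertificateFile /usr/local/var/openldap-data/cacert.pem
TLSCertificateFile /usr/local/var/openldap-data/servercrt.pem
TLSCertificateKeyFile /usr/local/var/openldap-data/serverkey.pem
TLSVerifyClient demand
"""

# ldap.conf(5) marks these as user-only options: libldap reads them from the
# per-user ~/.ldaprc (or the file named by LDAPRC), not from the system-wide ldap.conf.
USER_ONLY_OPTIONS = {"TLS_CERT", "TLS_KEY"}


def parse_conf(text):
    """Parse 'KEY value' lines of an ldap.conf/slapd.conf fragment into a dict (keys upper-cased)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def analyse_trace(trace):
    """Pull out the handshake facts that matter for client-certificate auth."""
    return {
        "server_requested_client_cert": "read server certificate request" in trace,
        "client_sent_cert": "write client certificate" in trace,
        "handshake_completed": "read finished" in trace,
        "chain_verified": re.search(r"Verify return code: 0 \(ok\)", trace) is not None,
    }


def diagnose(trace, client_conf_text, server_conf_text, client_conf_is_system_wide=True):
    """Return finding codes (hypothetical names) explaining why ldap tools can fail where s_client works."""
    facts = analyse_trace(trace)
    client = parse_conf(client_conf_text)
    server = parse_conf(server_conf_text)
    findings = []

    demands_cert = (server.get("TLSVERIFYCLIENT", "never").lower() == "demand"
                    or facts["server_requested_client_cert"])
    if demands_cert:
        findings.append("server-demands-client-cert")
        if USER_ONLY_OPTIONS - client.keys():
            findings.append("client-cert-not-configured")
        elif client_conf_is_system_wide:
            # The options are present, but in a file where libldap will not read them.
            findings.append("client-cert-options-in-system-ldap.conf")

    if not facts["chain_verified"]:
        findings.append("server-chain-not-trusted")
    # TLS_REQCERT defaults to demand, so a missing TLS_CACERT also breaks the bind.
    if client.get("TLS_REQCERT", "demand").lower() == "demand" and "TLS_CACERT" not in client:
        findings.append("client-has-no-ca-to-verify-server")
    return findings


if __name__ == "__main__":
    for code in diagnose(S_CLIENT_TRACE, LDAP_CONF, SLAPD_CONF):
        print(code)
```

Run as-is it reports that the server demands a client certificate and that the client's certificate options sit in the system-wide file; rerun with `client_conf_is_system_wide=False` to model the same options placed in a per-user .ldaprc, and the second finding disappears. The s_client command succeeds because `-cert`/`-key` hand the client certificate to OpenSSL directly, so the trace alone cannot tell you where libldap expects to find it.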